Integration with AAD using REST invoke method and Microsoft Graph

Applies to version 2019.1.4.x; Author: Michał Bednarz

When implementing a system based on AAD authentication it might be necessary to create user management in O365 from the WEBCON BPS level. WEBCON BPS provides dedicated actions for local AD. You can use the standard actions available in WEBCON BPS (REST invoke action) and REST Service Microsoft Graph. 

1. Preparing the application in the AAD

Register a new application in the AAD management console. It is done in a similar manner to registering an application to synchronize BPS user list. 

The difference is in the API Permissions window, a new application should be granted following privileges: 

2. Creating user in AAD with REST invoke method

Methods which we can use in order to manage user’s object in AAD are described here: https://docs.microsoft.com/en-us/graph/api/resources/users?view=graph-rest-beta. User is created by using: https://docs.microsoft.com/en-us/graph/api/user-post-users?view=graph-rest-beta&tabs=http

It is a good idea to create a User ID form field – it will store user’s ID from AAD, ID will be required for a further management over the created user.

2.1. Data source configuration for Graph connection

Data required for authentication is downloaded from the application configuration with AAD analogously as with the application to synchronize BPS users list. 

2.2. REST Invoke Method – creating AAD user

In the first tab select a previously configured connection:

In the next tab, configure REST suffix and select a HTTP method, if creating a new user set it to POST:

Next step is transferring the user object in JSON format, form field list of the user workflow is available in Graph documentation.

If you want to transfer response data to the BPS instance a Response tab configuration is also required. When invoking Graph, value loading will fail if the JSON tab has parameters (variables). To bypass that problem fill in necessary data on JSON tab. Do it once during the configuration. Important: Loading configuration will cause invoking the method and will create user. In this specific case we are interested in the created object’s ID:

2.3. REST action configuration – creating a AAD group

For groups use this object: https://docs.microsoft.com/en-us/graph/api/resources/group?view=graph-rest-beta and following method https://docs.microsoft.com/en-us/graph/api/group-post-groups?view=graph-rest-beta&tabs=http

Autentication and Request data tab configuration is analogous to creating a user.

In JSON tab choose form fields for the AAD group:

In the Response tab load data in an analogous way as when creating a user, save new object ID in a specific form field:

2.4. REST action configuration – managing AAD groups content

Similarly as in the previous paragraph, we will use a Group object, and more specifically, we will add a user to the group https://docs.microsoft.com/en-us/graph/api/group-post-members?view=graph-rest-beta&tabs=http

Authentication tab configuration is analogous as in the previous actions.

In Request data tab’s REST suffix field point to the AAD group’s ID where the modifications are taking place. HTTP method is still POST:

In JSON tab pass the object of the user which we want to add to the group:

When modifying group content Graph returns HTTP 204 status when it succeeded. There is no need to modify Response tab (response body is empty).

When implementing advanced scenarios, AAD’s objects’ ID can be downloaded from CacheOrganizationStructure table. But only if the AAD is the synchronization source of the BPS user list.

With these examples we presented only a handful of possibilities from many available by Microsoft Graph.